<?php
/**
 * Copyright 2011 Facebook, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License. You may obtain
 * a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations
 * under the License.
 */

if (! function_exists ( 'curl_init' )) {
	throw new Exception ( 'Facebook needs the CURL PHP extension.' );
}
if (! function_exists ( 'json_decode' )) {
	function json_decode($data, $assoc = false) {
		return Zend_Json::decode ( $data, $assoc );
	}

	//throw new Exception('Facebook needs the JSON PHP extension.');
}
if (! function_exists ( 'json_encode' )) {
	function json_encode($value) {
		return Zend_Json::encode ( $value );
	}
}

/**
 * Provides access to the Facebook Platform.  This class provides
 * a majority of the functionality needed, but the class is abstract
 * because it is designed to be subclassed.  The subclass must
 * implement the three abstract methods listed at the bottom of
 * the file.
 *
 * @author Naitik Shah <naitik@facebook.com>
 */
abstract class Inviter_Facebook_Base {
	/**
	 * Version.
	 */
	const VERSION = '3.0.1';
	
	/**
	 * Default options for curl.
	 */
	public static $CURL_OPTS = array (CURLOPT_CONNECTTIMEOUT => 100, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 300, CURLOPT_USERAGENT => 'facebook-php-3.0', # fix for http://github.com/facebook/php-sdk/issues/issue/99
	CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => 2 );
	
	/**
	 * List of query parameters that get automatically dropped when rebuilding
	 * the current URL.
	 */
	protected static $DROP_QUERY_PARAMS = array ('code', 'state', 'signed_request' );
	
	/**
	 * Maps aliases to Facebook domains.
	 */
	public static $DOMAIN_MAP = array ('api' => 'https://api.facebook.com/', 'api_video' => 'https://api-video.facebook.com/', 'api_read' => 'https://api-read.facebook.com/', 'graph' => 'https://graph.facebook.com/', 'www' => 'https://www.facebook.com/' );
	
	/**
	 * The Application ID.
	 */
	protected $appId;
	
	/**
	 * The Application API Secret.
	 */
	protected $apiSecret;
	
	/**
	 * The ID of the Facebook user, or 0 if the user is logged out.
	 */
	protected $user;
	
	/**
	 * The data from the signed_request token.
	 */
	protected $signedRequest;
	
	/**
	 * A CSRF state variable to assist in the defense against
	 * CSRF attacks.
	 */
	protected $state;
	
	/**
	 * The OAuth access token received in exchange for a valid authorization
	 * code.  null means the access token has yet to be determined.
	 */
	protected $accessToken = null;
	
	/**
	 * Indicates if the CURL based @ syntax for file uploads is enabled.
	 */
	protected $fileUploadSupport = false;
	
	/**
	 * Initialize a Facebook Application.
	 *
	 * The configuration:
	 * - appId: the application ID
	 * - secret: the application secret
	 * - fileUpload: (optional) boolean indicating if file uploads are enabled
	 *
	 * @param Array $config the application configuration
	 */
	public function __construct($config) {
		$this->setAppId ( $config ['appId'] );
		$this->setApiSecret ( $config ['secret'] );
		if (isset ( $config ['fileUpload'] )) {
			$this->setFileUploadSupport ( $config ['fileUpload'] );
		}
		
		$state = $this->getPersistentData ( 'state' );
		if (! empty ( $state )) {
			$this->state = $this->getPersistentData ( 'state' );
		}
	}
	
	/**
	 * Set the Application ID.
	 *
	 * @param String $appId the Application ID
	 */
	public function setAppId($appId) {
		$this->appId = $appId;
		return $this;
	}
	
	/**
	 * Get the Application ID.
	 *
	 * @return String the Application ID
	 */
	public function getAppId() {
		return $this->appId;
	}
	
	/**
	 * Set the API Secret.
	 *
	 * @param String $appId the API Secret
	 */
	public function setApiSecret($apiSecret) {
		$this->apiSecret = $apiSecret;
		return $this;
	}
	
	/**
	 * Get the API Secret.
	 *
	 * @return String the API Secret
	 */
	public function getApiSecret() {
		return $this->apiSecret;
	}
	
	/**
	 * Set the file upload support status.
	 *
	 * @param Boolean the file upload support status.
	 */
	public function setFileUploadSupport($fileUploadSupport) {
		$this->fileUploadSupport = $fileUploadSupport;
		return $this;
	}
	
	/**
	 * Get the file upload support status.
	 *
	 * @return Boolean true if and only if the server supports
	 * file upload.
	 */
	public function useFileUploadSupport() {
		return $this->fileUploadSupport;
	}
	
	/**
	 * Sets the access token for api calls.  Use this if you get
	 * your access token by other means and just want the SDK
	 * to use it.
	 *
	 * @param String $access_token an access token.
	 */
	public function setAccessToken($access_token) {
		$this->accessToken = $access_token;
		return $this;
	}
	
	/**
	 * Determines the access token that should be used for API calls.
	 * The first time this is called, $this->accessToken is set equal
	 * to either a valid user access token, or it's set to the application
	 * access token if a valid user access token wasn't available.  Subsequent
	 * calls return whatever the first call returned.
	 *
	 * @return String the access token
	 */
	public function getAccessToken() {
		if ($this->accessToken !== null) {
			// we've done this already and cached it.  Just return.
			return $this->accessToken;
		}
		
		// first establish access token to be the application
		// access token, in case we navigate to the /oauth/access_token
		// endpoint, where SOME access token is required.
		$this->setAccessToken ( $this->getApplicationAccessToken () );
		if ($user_access_token = $this->getUserAccessToken ()) {
			$this->setAccessToken ( $user_access_token );
		}
		
		return $this->accessToken;
	}
	
	/**
	 * Determines and returns the user access token, first using
	 * the signed request if present, and then falling back on
	 * the authorization code if present.  The intent is to
	 * return a valid user access token, or false if one is determined
	 * to not be available.
	 *
	 * @return String a valid user access token, or false if one
	 * could not be determined.
	 */
	protected function getUserAccessToken() {
		// first, consider a signed request if it's supplied.
		// if there is a signed request, then it alone determines
		// the access token.
		$signed_request = $this->getSignedRequest ();
		if ($signed_request) {
			if (array_key_exists ( 'oauth_token', $signed_request )) {
				$access_token = $signed_request ['oauth_token'];
				$this->setPersistentData ( 'access_token', $access_token );
				return $access_token;
			}
			
			// signed request states there's no access token, so anything
			// stored should be cleared.
			$this->clearAllPersistentData ();
			return false; // respect the signed request's data, even
		// if there's an authorization code or something else
		}
		
		$code = $this->getCode ();
		if ($code && $code != $this->getPersistentData ( 'code' )) {
			$access_token = $this->getAccessTokenFromCode ( $code );
			if ($access_token) {
				$this->setPersistentData ( 'code', $code );
				$this->setPersistentData ( 'access_token', $access_token );
				return $access_token;
			}
			
			// code was bogus, so everything based on it should be invalidated.
			$this->clearAllPersistentData ();
			return false;
		}
		
		// as a fallback, just return whatever is in the persistent
		// store, knowing nothing explicit (signed request, authorization
		// code, etc.) was present to shadow it (or we saw a code in $_REQUEST,
		// but it's the same as what's in the persistent store)
		return $this->getPersistentData ( 'access_token' );
	}
	
	/**
	 * Get the data from a signed_request token.
	 *
	 * @return String the base domain
	 */
	public function getSignedRequest() {
		if (! $this->signedRequest) {
			if (isset ( $_REQUEST ['signed_request'] )) {
				$this->signedRequest = $this->parseSignedRequest ( $_REQUEST ['signed_request'] );
			}
		}
		return $this->signedRequest;
	}
	
	/**
	 * Get the UID of the connected user, or 0
	 * if the Facebook user is not connected.
	 *
	 * @return String the UID if available.
	 */
	public function getUser() {
		if ($this->user !== null) {
			// we've already determined this and cached the value.
			return $this->user;
		}
		
		return $this->user = $this->getUserFromAvailableData ();
	}
	
	/**
	 * Determines the connected user by first examining any signed
	 * requests, then considering an authorization code, and then
	 * falling back to any persistent store storing the user.
	 *
	 * @return Integer the id of the connected Facebook user, or 0
	 * if no such user exists.
	 */
	protected function getUserFromAvailableData() {
		// if a signed request is supplied, then it solely determines
		// who the user is.
		$signed_request = $this->getSignedRequest ();
		if ($signed_request) {
			if (array_key_exists ( 'user_id', $signed_request )) {
				$user = $signed_request ['user_id'];
				$this->setPersistentData ( 'user_id', $signed_request ['user_id'] );
				return $user;
			}
			
			// if the signed request didn't present a user id, then invalidate
			// all entries in any persistent store.
			$this->clearAllPersistentData ();
			return 0;
		}
		
		$user = $this->getPersistentData ( 'user_id', $default = 0 );
		$persisted_access_token = $this->getPersistentData ( 'access_token' );
		
		// use access_token to fetch user id if we have a user access_token, or if
		// the cached access token has changed.
		$access_token = $this->getAccessToken ();
		if ($access_token && $access_token != $this->getApplicationAccessToken () && ! ($user && $persisted_access_token == $access_token)) {
			$user = $this->getUserFromAccessToken ();
			if ($user) {
				$this->setPersistentData ( 'user_id', $user );
			} else {
				$this->clearAllPersistentData ();
			}
		}
		
		return $user;
	}
	
	/**
	 * Get a Login URL for use with redirects. By default, full page redirect is
	 * assumed. If you are using the generated URL with a window.open() call in
	 * JavaScript, you can pass in display=popup as part of the $params.
	 *
	 * The parameters:
	 * - redirect_uri: the url to go to after a successful login
	 * - scope: comma separated list of requested extended perms
	 *
	 * @param Array $params provide custom parameters
	 * @return String the URL for the login flow
	 */
	public function getLoginUrl($params = array()) {
		$this->establishCSRFTokenState ();
		$currentUrl = $this->getCurrentUrl ();
		return $this->getUrl ( 'www', 'dialog/oauth', array_merge ( array ('client_id' => $this->getAppId (), 'redirect_uri' => $currentUrl, // possibly overwritten
'state' => $this->state ), $params ) );
	}
	
	/**
	 * Get a Logout URL suitable for use with redirects.
	 *
	 * The parameters:
	 * - next: the url to go to after a successful logout
	 *
	 * @param Array $params provide custom parameters
	 * @return String the URL for the logout flow
	 */
	public function getLogoutUrl($params = array()) {
		return $this->getUrl ( 'www', 'logout.php', array_merge ( array ('next' => $this->getCurrentUrl (), 'access_token' => $this->getAccessToken () ), $params ) );
	}
	
	/**
	 * Get a login status URL to fetch the status from Facebook.
	 *
	 * The parameters:
	 * - ok_session: the URL to go to if a session is found
	 * - no_session: the URL to go to if the user is not connected
	 * - no_user: the URL to go to if the user is not signed into facebook
	 *
	 * @param Array $params provide custom parameters
	 * @return String the URL for the logout flow
	 */
	public function getLoginStatusUrl($params = array()) {
		return $this->getUrl ( 'www', 'extern/login_status.php', array_merge ( array ('api_key' => $this->getAppId (), 'no_session' => $this->getCurrentUrl (), 'no_user' => $this->getCurrentUrl (), 'ok_session' => $this->getCurrentUrl (), 'session_version' => 3 ), $params ) );
	}
	
	/**
	 * Make an API call.
	 *
	 * @param Array $params the API call parameters
	 * @return the decoded response
	 */
	public function api(/* polymorphic */) {
		$args = func_get_args ();
		if (is_array ( $args [0] )) {
			return $this->_restserver ( $args [0] );
		} else {
			return call_user_func_array ( array ($this, '_graph' ), $args );
		}
	}
	
	/**
	 * Get the authorization code from the query parameters, if it exists,
	 * and otherwise return false to signal no authorization code was
	 * discoverable.
	 *
	 * @return mixed the authorization code, or false if the authorization
	 * code could not be determined.
	 */
	protected function getCode() {
		if (isset ( $_REQUEST ['code'] )) {
			if ($this->state !== null && isset ( $_REQUEST ['state'] ) && $this->state === $_REQUEST ['state']) {
				
				// CSRF state has done its job, so clear it
				$this->state = null;
				$this->clearPersistentData ( 'state' );
				return $_REQUEST ['code'];
			} else {
				self::errorLog ( 'CSRF state token does not match one provided.' );
				return false;
			}
		}
		
		return false;
	}
	
	/**
	 * Retrieves the UID with the understanding that
	 * $this->accessToken has already been set and is
	 * seemingly legitimate.  It relies on Facebook's Graph API
	 * to retreive user information and then extract
	 * the user ID.
	 *
	 * @return Integer returns the UID of the Facebook user, or
	 * 0 if the Facebook user could not be determined.
	 */
	protected function getUserFromAccessToken() {
		try {
			$user_info = $this->api ( '/me' );
			return $user_info ['id'];
		} catch ( Facebook_Exception $e ) {
			throw $e;
			exit ();
			return 0;
		}
	}
	
	/**
	 * Returns the access token that should be used for logged out
	 * users when no authorization code is available.
	 *
	 * @return String the application access token, useful for
	 * gathering public information about users and applications.
	 */
	protected function getApplicationAccessToken() {
		return $this->appId . '|' . $this->apiSecret;
	}
	
	/**
	 * Lays down a CSRF state token for this process.
	 *
	 * @return void
	 */
	protected function establishCSRFTokenState() {
		if ($this->state === null) {
			$this->state = md5 ( uniqid ( mt_rand (), true ) );
			$this->setPersistentData ( 'state', $this->state );
		}
	}
	
	/**
	 * Retreives an access token for the given authorization code
	 * (previously generated from www.facebook.com on behalf of
	 * a specific user).  The authorization code is sent to graph.facebook.com
	 * and a legitimate access token is generated provided the access token
	 * and the user for which it was generated all match, and the user is
	 * either logged in to Facebook or has granted an offline access permission.
	 *
	 * @param String $code an authorization code.
	 * @return mixed an access token exchanged for the authorization code, or
	 * false if an access token could not be generated.
	 */
	protected function getAccessTokenFromCode($code) {
		if (empty ( $code )) {
			return false;
		}
		
		try {
			// need to circumvent json_decode by calling _oauthRequest
			// directly, since response isn't JSON format.
			$access_token_response = $this->_oauthRequest ( $this->getUrl ( 'graph', '/oauth/access_token' ), $params = array ('client_id' => $this->getAppId (), 'client_secret' => $this->getApiSecret (), 'redirect_uri' => $this->getCurrentUrl (), 'code' => $code ) );
		} catch ( Facebook_Exception $e ) {
			throw $e;
			exit ();
			// most likely that user very recently revoked authorization.
			// In any event, we don't have an access token, so say so.
			return false;
		}
		
		if (empty ( $access_token_response )) {
			return false;
		}
		
		$response_params = array ();
		parse_str ( $access_token_response, $response_params );
		if (! isset ( $response_params ['access_token'] )) {
			return false;
		}
		
		return $response_params ['access_token'];
	}
	
	/**
	 * Invoke the old restserver.php endpoint.
	 *
	 * @param Array $params method call object
	 * @return the decoded response object
	 * @throws Facebook_Exception
	 */
	protected function _restserver($params) {
		// generic application level parameters
		$params ['api_key'] = $this->getAppId ();
		$params ['format'] = 'json-strings';
		
		$result = json_decode ( $this->_oauthRequest ( $this->getApiUrl ( $params ['method'] ), $params ), true );
		
		// results are returned, errors are thrown
		if (is_array ( $result ) && isset ( $result ['error_code'] )) {
			throw new Facebook_Exception ( $result );
		}
		
		return $result;
	}
	
	/**
	 * Invoke the Graph API.
	 *
	 * @param String $path the path (required)
	 * @param String $method the http method (default 'GET')
	 * @param Array $params the query/post data
	 * @return the decoded response object
	 * @throws Facebook_Exception
	 */
	protected function _graph($path, $method = 'GET', $params = array()) {
		if (is_array ( $method ) && empty ( $params )) {
			$params = $method;
			$method = 'GET';
		}
		$params ['method'] = $method; // method override as we always do a POST
		

		$result = json_decode ( $this->_oauthRequest ( $this->getUrl ( 'graph', $path ), $params ), true );
		
		// results are returned, errors are thrown
		if (is_array ( $result ) && isset ( $result ['error'] )) {
			$this->throwAPIException ( $result );
		}
		
		return $result;
	}
	
	/**
	 * Make a OAuth Request.
	 *
	 * @param String $path the path (required)
	 * @param Array $params the query/post data
	 * @return the decoded response object
	 * @throws Facebook_Exception
	 */
	protected function _oauthRequest($url, $params) {
		if (! isset ( $params ['access_token'] )) {
			$params ['access_token'] = $this->getAccessToken ();
		}
		
		// json_encode all params values that are not strings
		foreach ( $params as $key => $value ) {
			if (! is_string ( $value )) {
				$params [$key] = json_encode ( $value );
			}
		}
		
		return $this->makeRequest ( $url, $params );
	}
	
	/**
	 * Makes an HTTP request. This method can be overriden by subclasses if
	 * developers want to do fancier things or use something other than curl to
	 * make the request.
	 *
	 * @param String $url the URL to make the request to
	 * @param Array $params the parameters to use for the POST body
	 * @param CurlHandler $ch optional initialized curl handle
	 * @return String the response text
	 */
	protected function makeRequest($url, $params, $ch = null) {
		if (! $ch) {
			$ch = curl_init ();
		}
		
		$opts = self::$CURL_OPTS;
		if ($this->useFileUploadSupport ()) {
			$opts [CURLOPT_POSTFIELDS] = $params;
		} else {
			$opts [CURLOPT_POSTFIELDS] = http_build_query ( $params, null, '&' );
		}
		$opts [CURLOPT_URL] = $url;
		
		// disable the 'Expect: 100-continue' behaviour. This causes CURL to wait
		// for 2 seconds if the server does not support this header.
		if (isset ( $opts [CURLOPT_HTTPHEADER] )) {
			$existing_headers = $opts [CURLOPT_HTTPHEADER];
			$existing_headers [] = 'Expect:';
			$opts [CURLOPT_HTTPHEADER] = $existing_headers;
		} else {
			$opts [CURLOPT_HTTPHEADER] = array ('Expect:' );
		}
		
		curl_setopt_array ( $ch, $opts );
		$result = curl_exec ( $ch );
		
		if (curl_errno ( $ch ) == 60) { // CURLE_SSL_CACERT
			self::errorLog ( 'Invalid or no certificate authority found, ' . 'using bundled information' );
			curl_setopt ( $ch, CURLOPT_CAINFO, dirname ( __FILE__ ) . '/fb_ca_chain_bundle.crt' );
			$result = curl_exec ( $ch );
		}
		
		if ($result === false) {
			$e = new Facebook_Exception ( array ('error_code' => curl_errno ( $ch ), 'error' => array ('message' => curl_error ( $ch ), 'type' => 'CurlException' ) ) );
			curl_close ( $ch );
			throw $e;
		}
		curl_close ( $ch );
		return $result;
	}
	
	/**
	 * Parses a signed_request and validates the signature.
	 *
	 * @param String A signed token
	 * @return Array the payload inside it or null if the sig is wrong
	 */
	protected function parseSignedRequest($signed_request) {
		list ( $encoded_sig, $payload ) = explode ( '.', $signed_request, 2 );
		
		// decode the data
		$sig = self::base64UrlDecode ( $encoded_sig );
		$data = json_decode ( self::base64UrlDecode ( $payload ), true );
		
		if (strtoupper ( $data ['algorithm'] ) !== 'HMAC-SHA256') {
			self::errorLog ( 'Unknown algorithm. Expected HMAC-SHA256' );
			return null;
		}
		
		// check sig
		$expected_sig = hash_hmac ( 'sha256', $payload, $this->getApiSecret (), $raw = true );
		if ($sig !== $expected_sig) {
			self::errorLog ( 'Bad Signed JSON signature!' );
			return null;
		}
		
		return $data;
	}
	
	/**
	 * Build the URL for api given parameters.
	 *
	 * @param $method String the method name.
	 * @return String the URL for the given parameters
	 */
	protected function getApiUrl($method) {
		static $READ_ONLY_CALLS = array ('admin.getallocation' => 1, 'admin.getappproperties' => 1, 'admin.getbannedusers' => 1, 'admin.getlivestreamvialink' => 1, 'admin.getmetrics' => 1, 'admin.getrestrictioninfo' => 1, 'application.getpublicinfo' => 1, 'auth.getapppublickey' => 1, 'auth.getsession' => 1, 'auth.getsignedpublicsessiondata' => 1, 'comments.get' => 1, 'connect.getunconnectedfriendscount' => 1, 'dashboard.getactivity' => 1, 'dashboard.getcount' => 1, 'dashboard.getglobalnews' => 1, 'dashboard.getnews' => 1, 'dashboard.multigetcount' => 1, 'dashboard.multigetnews' => 1, 'data.getcookies' => 1, 'events.get' => 1, 'events.getmembers' => 1, 'fbml.getcustomtags' => 1, 'feed.getappfriendstories' => 1, 'feed.getregisteredtemplatebundlebyid' => 1, 'feed.getregisteredtemplatebundles' => 1, 'fql.multiquery' => 1, 'fql.query' => 1, 'friends.arefriends' => 1, 'friends.get' => 1, 'friends.getappusers' => 1, 'friends.getlists' => 1, 'friends.getmutualfriends' => 1, 'gifts.get' => 1, 'groups.get' => 1, 'groups.getmembers' => 1, 'intl.gettranslations' => 1, 'links.get' => 1, 'notes.get' => 1, 'notifications.get' => 1, 'pages.getinfo' => 1, 'pages.isadmin' => 1, 'pages.isappadded' => 1, 'pages.isfan' => 1, 'permissions.checkavailableapiaccess' => 1, 'permissions.checkgrantedapiaccess' => 1, 'photos.get' => 1, 'photos.getalbums' => 1, 'photos.gettags' => 1, 'profile.getinfo' => 1, 'profile.getinfooptions' => 1, 'stream.get' => 1, 'stream.getcomments' => 1, 'stream.getfilters' => 1, 'users.getinfo' => 1, 'users.getloggedinuser' => 1, 'users.getstandardinfo' => 1, 'users.hasapppermission' => 1, 'users.isappuser' => 1, 'users.isverified' => 1, 'video.getuploadlimits' => 1 );
		$name = 'api';
		if (isset ( $READ_ONLY_CALLS [strtolower ( $method )] )) {
			$name = 'api_read';
		} else if (strtolower ( $method ) == 'video.upload') {
			$name = 'api_video';
		}
		return self::getUrl ( $name, 'restserver.php' );
	}
	
	/**
	 * Build the URL for given domain alias, path and parameters.
	 *
	 * @param $name String the name of the domain
	 * @param $path String optional path (without a leading slash)
	 * @param $params Array optional query parameters
	 * @return String the URL for the given parameters
	 */
	protected function getUrl($name, $path = '', $params = array()) {
		$url = self::$DOMAIN_MAP [$name];
		if ($path) {
			if ($path [0] === '/') {
				$path = substr ( $path, 1 );
			}
			$url .= $path;
		}
		if ($params) {
			$url .= '?' . http_build_query ( $params, null, '&' );
		}
		
		return $url;
	}
	
	/**
	 * Returns the Current URL, stripping it of known FB parameters that should
	 * not persist.
	 *
	 * @return String the current URL
	 */
	protected function getCurrentUrl() {
		$protocol = isset ( $_SERVER ['HTTPS'] ) && $_SERVER ['HTTPS'] == 'on' ? 'https://' : 'http://';
		$currentUrl = $protocol . $_SERVER ['HTTP_HOST'] . $_SERVER ['REQUEST_URI'];
		$parts = parse_url ( $currentUrl );
		
		$query = '';
		if (! empty ( $parts ['query'] )) {
			// drop known fb params
			$params = explode ( '&', $parts ['query'] );
			$retained_params = array ();
			foreach ( $params as $param ) {
				if ($this->shouldRetainParam ( $param )) {
					$retained_params [] = $param;
				}
			}
			
			if (! empty ( $retained_params )) {
				$query = '?' . implode ( $retained_params, '&' );
			}
		}
		
		// use port if non default
		$port = isset ( $parts ['port'] ) && (($protocol === 'http://' && $parts ['port'] !== 80) || ($protocol === 'https://' && $parts ['port'] !== 443)) ? ':' . $parts ['port'] : '';
		
		// rebuild
		return $protocol . $parts ['host'] . $port . $parts ['path'] . $query;
	}
	
	/**
	 * Returns true if and only if the key or key/value pair should
	 * be retained as part of the query string.  This amounts to
	 * a brute-force search of the very small list of Facebook-specific
	 * params that should be stripped out.
	 *
	 * @param String a key or key/value pair within a URL's query (e.g.
	 * 'foo=a', 'foo=', or 'foo'.
	 */
	protected function shouldRetainParam($param) {
		foreach ( self::$DROP_QUERY_PARAMS as $drop_query_param ) {
			if (strpos ( $param, $drop_query_param . '=' ) === 0) {
				return false;
			}
		}
		
		return true;
	}
	
	/**
	 * Analyzes the supplied result to see if it was thrown
	 * because the access token is no longer valid.  If that is
	 * the case, then the persistent store is cleared.
	 *
	 * @param $result a record storing the error message returned
	 * by a failed API call.
	 */
	protected function throwAPIException($result) {
		$e = new Facebook_Exception ( $result );
		switch ($e->getType ()) {
			// OAuth 2.0 Draft 00 style
			case 'OAuthException' :
			// OAuth 2.0 Draft 10 style
			case 'invalid_token' :
				$message = $e->getMessage ();
				if ((strpos ( $message, 'Error validating access token' ) !== false) || (strpos ( $message, 'Invalid OAuth access token' ) !== false)) {
					$this->setAccessToken ( null );
					$this->user = 0;
					$this->clearAllPersistentData ();
				}
		}
		
		throw $e;
	}
	
	/**
	 * Prints to the error log if you aren't in command line mode.
	 *
	 * @param String log message
	 */
	protected static function errorLog($msg) {
		// disable error log if we are running in a CLI environment
		// @codeCoverageIgnoreStart
		if (php_sapi_name () != 'cli') {
			error_log ( $msg );
		}
	
		// uncomment this if you want to see the errors on the page
	// print 'error_log: '.$msg."\n";
	// @codeCoverageIgnoreEnd
	}
	
	/**
	 * Base64 encoding that doesn't need to be urlencode()ed.
	 * Exactly the same as base64_encode except it uses
	 * - instead of +
	 * _ instead of /
	 *
	 * @param String base64UrlEncodeded string
	 */
	protected static function base64UrlDecode($input) {
		return base64_decode ( strtr ( $input, '-_', '+/' ) );
	}
	
	/**
	 * Each of the following four methods should be overridden in
	 * a concrete subclass, as they are in the provided Facebook class.
	 * The Facebook class uses PHP sessions to provide a primitive
	 * persistent store, but another subclass--one that you implement--
	 * might use a database, memcache, or an in-memory cache.
	 *
	 * @see Facebook
	 */
	abstract protected function setPersistentData($key, $value);
	abstract protected function getPersistentData($key, $default = false);
	abstract protected function clearPersistentData($key);
	abstract protected function clearAllPersistentData();
}

/**
 * Copyright 2011 Facebook, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License. You may obtain
 * a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations
 * under the License.
 */

// require_once "base_facebook.php";


/**
 * Extends the BaseFacebook class with the intent of using
 * PHP sessions to store user ids and access tokens.
 */
class Inviter_Api_Facebook extends Inviter_Facebook_Base {
	/**
	 * Identical to the parent constructor, except that
	 * we start a PHP session to store the user ID and
	 * access token if during the course of execution
	 * we discover them.
	 *
	 * @param Array $config the application configuration.
	 * @see BaseFacebook::__construct in facebook.php
	 */
	public function __construct($config) {
		if (! session_id ()) {
			session_start ();
		}
		parent::__construct ( $config );
	}
	
	protected static $kSupportedKeys = array ('state', 'code', 'access_token', 'user_id' );
	
	/**
	 * Provides the implementations of the inherited abstract
	 * methods.  The implementation uses PHP sessions to maintain
	 * a store for authorization codes, user ids, CSRF states, and
	 * access tokens.
	 */
	public function setPersistentData($key, $value) {
		if (! in_array ( $key, self::$kSupportedKeys )) {
			self::errorLog ( 'Unsupported key passed to setPersistentData.' );
			return;
		}
		
		$session_var_name = $this->constructSessionVariableName ( $key );
		$_SESSION [$session_var_name] = $value;
	}
	
	public function getPersistentData($key, $default = false) {
		if (! in_array ( $key, self::$kSupportedKeys )) {
			self::errorLog ( 'Unsupported key passed to getPersistentData.' );
			return $default;
		}
		
		$session_var_name = $this->constructSessionVariableName ( $key );
		return isset ( $_SESSION [$session_var_name] ) ? $_SESSION [$session_var_name] : $default;
	}
	
	public function clearPersistentData($key) {
		if (! in_array ( $key, self::$kSupportedKeys )) {
			self::errorLog ( 'Unsupported key passed to clearPersistentData.' );
			return;
		}
		
		$session_var_name = $this->constructSessionVariableName ( $key );
		unset ( $_SESSION [$session_var_name] );
	}
	
	public function clearAllPersistentData() {
		foreach ( self::$kSupportedKeys as $key ) {
			$this->clearPersistentData ( $key );
		}
	}
	
	public function constructSessionVariableName($key) {
		return implode ( '_', array ('fb', $this->getAppId (), $key ) );
	}
}